adminUser = $this->drupalCreateUser(['administer blocks']); $this->drupalLogin($this->adminUser); $this->drupalPlaceBlock('user_login_block'); $this->drupalLogout($this->adminUser); } /** * Tests that user login block is hidden from user/login. */ public function testUserLoginBlockVisibility() { // Array keyed list where key being the URL address and value being expected // visibility as boolean type. $paths = [ 'node' => TRUE, 'user/login' => FALSE, 'user/register' => TRUE, 'user/password' => TRUE, ]; foreach ($paths as $path => $expected_visibility) { $this->drupalGet($path); $elements = $this->xpath('//div[contains(@class,"block-user-login-block") and @role="form"]'); if ($expected_visibility) { $this->assertTrue(!empty($elements), 'User login block in path "' . $path . '" should be visible'); } else { $this->assertTrue(empty($elements), 'User login block in path "' . $path . '" should not be visible'); } } } /** * Test the user login block. */ public function testUserLoginBlock() { // Create a user with some permission that anonymous users lack. $user = $this->drupalCreateUser(['administer permissions']); // Log in using the block. $edit = []; $edit['name'] = $user->getUsername(); $edit['pass'] = $user->passRaw; $this->drupalPostForm('admin/people/permissions', $edit, t('Log in')); $this->assertNoText(t('User login'), 'Logged in.'); // Check that we are still on the same page. $this->assertUrl(\Drupal::url('user.admin_permissions', [], ['absolute' => TRUE]), [], 'Still on the same page after login for access denied page'); // Now, log out and repeat with a non-403 page. $this->drupalLogout(); $this->drupalGet('filter/tips'); $this->assertEqual('MISS', $this->drupalGetHeader(DynamicPageCacheSubscriber::HEADER)); $this->drupalPostForm(NULL, $edit, t('Log in')); $this->assertNoText(t('User login'), 'Logged in.'); $this->assertPattern('!!', 'Still on the same page after login for allowed page'); // Log out again and repeat with a non-403 page including query arguments. $this->drupalLogout(); $this->drupalGet('filter/tips', ['query' => ['foo' => 'bar']]); $this->assertEqual('HIT', $this->drupalGetHeader(DynamicPageCacheSubscriber::HEADER)); $this->drupalPostForm(NULL, $edit, t('Log in')); $this->assertNoText(t('User login'), 'Logged in.'); $this->assertPattern('!!', 'Still on the same page after login for allowed page'); $this->assertTrue(strpos($this->getUrl(), '/filter/tips?foo=bar') !== FALSE, 'Correct query arguments are displayed after login'); // Repeat with different query arguments. $this->drupalLogout(); $this->drupalGet('filter/tips', ['query' => ['foo' => 'baz']]); $this->assertEqual('HIT', $this->drupalGetHeader(DynamicPageCacheSubscriber::HEADER)); $this->drupalPostForm(NULL, $edit, t('Log in')); $this->assertNoText(t('User login'), 'Logged in.'); $this->assertPattern('!!', 'Still on the same page after login for allowed page'); $this->assertTrue(strpos($this->getUrl(), '/filter/tips?foo=baz') !== FALSE, 'Correct query arguments are displayed after login'); // Check that the user login block is not vulnerable to information // disclosure to third party sites. $this->drupalLogout(); $this->drupalPostForm('http://example.com/', $edit, t('Log in'), ['external' => FALSE]); // Check that we remain on the site after login. $this->assertUrl($user->url('canonical', ['absolute' => TRUE]), [], 'Redirected to user profile page after login from the frontpage'); // Verify that form validation errors are displayed immediately for forms // in blocks and not on subsequent page requests. $this->drupalLogout(); $edit = []; $edit['name'] = 'foo'; $edit['pass'] = 'invalid password'; $this->drupalPostForm('filter/tips', $edit, t('Log in')); $this->assertText(t('Unrecognized username or password. Forgot your password?')); $this->drupalGet('filter/tips'); $this->assertNoText(t('Unrecognized username or password. Forgot your password?')); } /** * Updates the access column for a user. */ private function updateAccess($uid, $access = REQUEST_TIME) { db_update('users_field_data') ->condition('uid', $uid) ->fields(['access' => $access]) ->execute(); } }